Saturday, September 13, 2014

Something to grab the attention of my Intro to Computer Security class.
Glyn Moody writes:
Three years ago, Techdirt wrote about how German politician Malte Spitz obtained six months’ worth of basic geolocation data for his mobile phone. He then gave this to the German newspaper Die Zeit, which produced a great visualization of his travels during this time. That showed clearly how much was revealed from such basic data. Since then, of course, metadata has assumed an even greater importance, as it has emerged that the NSA routinely gathers huge quantities of it about innocent citizens. More chillingly, we also know that people are killed purely because of their metadata. But what exactly does metadata show about us? We now have a better idea thanks to the generosity of Ton Siedsma from Holland. He has allowed researchers to access not just the geolocation data of his mobile phone, but all of its metadata:
Read more on TechDirt.


I admit I did not anticipate this argument. If Big Brother is not watching you, you may not feel his love?
The Rise of Data Poverty in America
by Sabrina I. Pacifici on Sep 12, 2014
“Data-driven innovations offer enormous opportunities to advance important societal goals. However, to take advantage of these opportunities, individuals must have access to high-quality data about themselves and their communities. If certain groups routinely do not have data collected about them, their problems may be overlooked and their communities held back in spite of progress elsewhere. Given this risk, policymakers should begin a concerted effort to address the “data divide”—the social and economic inequalities that may result from a lack of collection or use of data about individuals or communities.”


Sort of a “Heads up” from a Supreme. We should probably listen.
Lily Hay Newman reports:
Justice Sonia Sotomayor told law students and faculty at Oklahoma City University on Thursday that Americans should be feeling very concerned about the potential for drones to compromise personal privacy.
According to the Wall Street Journal, she said she thinks that as drones become more ubiquitous, they will encroach on physical spaces that have traditionally been respected as private. And she emphasized that citizens should channel their concern into more active involvement in privacy debates nationwide.
Read more on Slate.

(Related)
A new article by Joel Reidenberg is available on SSRN: “Privacy in Public.”
Abstract:
As government and private companies rapidly expand the infrastructure of surveillance from cameras on every street corner to facial recognition for photographs on social media sites, privacy doctrines built on seclusion are at odds with technological advances. This essay addresses a key conceptual problem in US privacy law identified by Justice Sotomayor in U.S. v. Jones and by Justice Scalia in Kyllo v. U.S.; namely that technological capabilities undermine the meaning of the third-party doctrine and the 4th Amendment’s ‘reasonable expectation of privacy’ standard. The essay argues that the conceptual problem derives from the evolution of three stages of development in the public nature of personal information culminating in the ubiquitous transparency of citizens. This ubiquitous transparency destroys any “reasonable expectation of privacy.” The essay then argues that transparency without privacy protection challenges the democratic values of public safety and fair governance. To restore the balance and relocate privacy away from the no longer workable “reasonable expectation” standard, the essay argues for a new normative approach to privacy that would protect observable activity where such activity is not “governance related,” but rather “private regarding.” The essay concludes by showing that this distinction is consistent with the First Amendment and draws on established doctrines in tort law and First Amendment jurisprudence.
You can download the article here.


Something for Student Privacy Day?
Tanya Roscorla reports:
As the legislative session wraps up, student data privacy bills are headed to the books in 20 states.
State policymakers introduced 110 bills on student data privacy in 36 states this session, with 30 of them passing both houses and 24 being signed into law, according to an analysis by the Data Quality Campaign. Four companion bills were not signed into law because they did the same thing that their counterparts did in the other house, and two bills in California are still on the governor’s desk for review.
Read more on Government Technology.


Social is increasing in importance and Microsoft is becoming a real tool for business. Who knew?
Gartner names Microsoft a leader in social software in the workplace
Gartner is a technology research firm and one of their evaluation techniques is "Magic Quadrants." In a study evaluating Enterprise Social Software, they named Microsoft as a 'Leader.' You can see their quadrant for this study below.
… Gartner favors Microsoft because of their integration of components of Office 365 and easy access to features of Exchange, SharePoint, Yammer, and Lync. Microsoft has also shown off a road map for products such as Office 365 which show deeper integration and enhancements. Lastly, viability - the interest and adoption of Microsoft products, such as Office 365, is very high.
Some cautions Gartner has about Microsoft are the change in architecture, which involves unanticipated migrations; a faster pace of innovation than some customers find easy to keep up with; and lastly, a complexity of product bundles that creates confusion in choice.
Other leaders in the quadrant include IBM, Jive, Salesforce, and Tibco Software. However, Microsoft is no doubt pleased that they are the most upper-right in the quadrant.
You can read the full study here.


An interesting summary
The Dark Side of Big Data
… GE declares in an online video that the Industrial Internet, a.k.a. the Internet of Things, will bring us “a faster, safer, cleaner, more productive world.”
… The immediate concern is that there simply are not enough experts—engineers, Big Data analysts and computer scientists—to cope with the huge amount of data that is rapidly accumulating.
… Much of the historic government data that exists, he pointed out, is inconsistent and incompatible with current databases. “Most of these systems were never designed to release data external to government,” he said, “so you need a bridge between the legacy environment and the data environment.”


Think this will ever happen here?
Libraries may digitize books without permission, EU top court rules
by Sabrina I. Pacifici on Sep 12, 2014
Loek Essers - PC World: “European libraries may digitize books and make them available at electronic reading points without first gaining consent of the copyright holder, the highest European Union court ruled Thursday. The Court of Justice of the European Union (CJEU) ruled in a case in which the Technical University of Darmstadt digitized a book published by German publishing house Eugen Ulmer in order to make it available at its electronic reading posts, but refused to license the publisher’s electronic textbooks. Eugen Ulmer sought to prevent the university from digitizing the book and also wanted to prevent users of the library from printing out the book or copying it to a USB stick for use outside the library, the CJEU said in a news release.”


A small percentage of a really big number...
Apple to get 0.15 percent cut of purchase value for every payment made with Apple Pay
… According to The Financial Times, the company is eligible to get a 0.15 percent cut of the purchase value every time a customer uses Apple Pay.
“Bank chief executives fawned about the ‘exceptional customer experience’ and the ‘exciting move’.” The Financial Times reports. “They are also paying hard cash for the privilege of being involved
… That is an unprecedented deal, giving Apple a share of the payments’ economics that rivals such as Google do not get for their services.”
Click here for a list of merchants and apps that have signed up for Apple Pay.

(Related) Posturing for a better deal. They would never turn down payment.
Walmart says it will not join Apple Pay system; rallies behind CurrentC method instead
… Walmart - which has a massive customer base - has decided to rally behind the CurrentC mobile payment method instead.
… Though Walmart representatives have not offered any explanation behind the retailer's decision to support the CurrentC mobile payment system rather than Apple Pay, the move is apparently rooted in the fact that the financial incentive to join CurrentC may be higher than that for Apple Pay.
Moreover, if the testing of CurrentC is successful and the system is widely accepted, it could bring about a fundamental change in the credit and debit card mechanism. The system will essentially allow customers to either load cash into the app or allow the app to withdraw funds directly out of a checking or savings account; without any link to a credit card. As such, Walmart and other CurrentC partners will not have to pay 'swipe' charges to banks.


Technology.
Tiny ant-sized radio developed by Stanford engineers
A tiny, ant-sized radio has been developed by engineers at Stanford University, which is small enough and cheap enough that it could be used for a wide variety of applications, specifically "Internet of Things".
… All the energy required to power the chip is harvested from background electromagnetic fields, so there's no need for a battery or other power source. That said, if a single AAA battery were connected to provide power, the chip would be able to function for more than 100 years.


For my business majors: I didn't think they were all that good 10 years ago.
The real Italian debate on salting pasta water—not if, but when
It took a 300-page hedge fund report to tell Olive Garden that they had a big problem—there’s no salt in the pasta.
… The report, which was filed by activist hedge fund Starboard, says the chain made a business decision to stop salting its pasta. (Apparently, it enabled them to get an extended warranty on pots.)
“The first step in any pasta recipe is to put water in a big pot and salt it,” wrote Starboard analysts in their report.


For my iPhone toting students. (I select a couple)
Free Apps
MyScript Smart Note ($7.99, now free)
It’s a note-taking app with a focus on handwriting, jotting down notes, equations, drawings and more.
This Is Not A Test is a survival challenge like no other. If you enjoyed any of the Fallout games, The Walking Dead comics or pen-and-paper RPGs you might want to check this out.


I can't believe this is free every week.
Via The LA Times, “L.A. Unified Supt. John Deasy has filed a public records request seeking emails and other documents involving school board members and nearly two dozen companies including those at the center of the controversial iPad project.”
Meanwhile, the LAUSD Board has voted to destroy its emails after 1 year. Nothing to see here. Move along…
edX launches classes (and college counseling) for high school students. Most of the classes are AP ones, which will be offered for free, but there’s a fee for certificates.
… Almost 12% of Harvard students are enrolled in “Introduction to Computer Science 1” this semester – a record-breaking number.
… “Twenty percent of NCAA athletes admit to participating in fantasy sports leagues with entry fees and cash prizes, according to a survey conducted last year by the NCAA.” That’s against the rules.
… The OECD has released its 2014 report “Education at a Glance” – where 570 pages equals “glance.”

Friday, September 12, 2014

For my Ethical Hackers. Twice the potential for attacks, but one solution works for both?
Chinese Attack Groups Operate in Parallel in Cyber Espionage Campaigns: FireEye
Researchers at FireEye have discovered two attack campaigns being orchestrated by different groups in separate regions of China that appear to be operating in parallel.
The attack campaigns are focused on different targets. According to a team of FireEye researchers, the first group - which has been named Moafee - appears to operate from the Guangdong Province and is targeting military and government organizations in countries with interests in the South China Sea. This includes targets within the defense industry in the United States.
The second group, known as DragonOK, is focused on high-tech and manufacturing companies in Japan and Taiwan with the likely goal of economic espionage, according to the researchers.


Retailers: you should be paranoid; they are out to get you.
Report Puts PoS Malware Under the Microscope
If you think there has been a rise in point-of-sale malware lately, you are not imagining things.
In a new paper released today, Trend Micro examines the continued growth of point-of-sale (PoS) malware.
Businesses in the United States have been the biggest targets of PoS malware. According to Trend Micro, roughly 74 percent of PoS malware detections between April and June have been in the U.S.
The report recommends PoS system operators follow best practices for security, including the use of multitier firewalls to protect networks and restricting access to the Internet on PoS systems.

(Related) Where does “Best Practice” stop and “Excessive” begin?
Alden Abbott writes:
Abstract
Over the past decade, the Federal Trade Commission, the federal government’s primary consumer protection agency, has pursued over 50 enforcement actions against companies that it deemed had “inadequate” data security practices. However, data security costs due to FTC actions will be passed on at least in part to consumers [Cost per consumer should be negligible. Bob] and should be weighed against the benefits in reduced data breaches. The FTC should carefully consider whether its current policies in this area are cost-beneficial and whether specific reforms would advance the public interest in enhancing data protection in a less burdensome, more welfare-enhancing fashion. The focus should be on punishing data thieves, not on imposing excessive regulatory burdens on legitimate businesses—burdens that could weaken the private sector and impose unwarranted [??? Bob] costs on consumers.
Read more on Heritage Foundation.


A Privacy lesson for my Computer Security class.
Metadata – The Information About Your Information
What if someone could tell that you were going to have credit problems before you knew? Could they deny your loan or quote you higher interest rates? What if someone knew that you were having medical problems even before you knew? Could they use that to deny you insurance? What if you’ve been talking with someone who DOES have something to hide? Could you get lumped in with them if they get arrested?
… You know the answers to those questions. It’s yes. Now you’re wondering, “How could anyone possibly know that about me without searching through my mail, e-mail, or phone calls? They need a warrant for that!”
You are correct, they do need a warrant. But they don’t need a warrant to get information, or metadata, about your mail, e-mail, or phone calls. You WILL be surprised what someone can tell you about you just from something as seemingly insignificant as who sent you an e-mail, to whom you sent an e-mail, when the e-mails were sent and how many e-mails there are between you and your contact. All that information is available without a warrant.
… If you don’t believe that someone can tell intimate details about you from simple metadata, test it out for yourself. MIT has developed a program called Immersion that, only with your permission, gathers metadata about your e-mail account. The metadata is pretty limited too; there’s more that could be collected.
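To make the point concrete for the class, here is an added example (my own illustration, not code from the article and not MIT's Immersion): it takes nothing but sender, recipients and timestamp for a handful of constructed messages, never a subject line or body, and still ranks the owner's closest contacts, shows who gets late-night mail, finds recurring groups of co-recipients, and lists the domains the owner corresponds with. All addresses, domains and timestamps are made up for the demonstration.

```python
"""Added example (not from the post, not MIT's Immersion code): what e-mail
metadata alone reveals. Every record below is constructed for illustration."""
from collections import Counter
from datetime import datetime

OWNER = "me@example.test"  # constructed mailbox owner

# Constructed sample: (sender, recipients, ISO-8601 timestamp).
# No subject lines and no bodies: just the fields a metadata request returns.
SAMPLE_METADATA = [
    ("me@example.test", ["alice@example.test"], "2014-09-01T23:40:00"),
    ("alice@example.test", ["me@example.test"], "2014-09-02T00:05:00"),
    ("me@example.test", ["alice@example.test"], "2014-09-03T23:55:00"),
    ("me@example.test", ["clinic@health.example"], "2014-09-04T09:10:00"),
    ("clinic@health.example", ["me@example.test"], "2014-09-04T16:30:00"),
    ("me@example.test", ["clinic@health.example"], "2014-09-05T09:00:00"),
    ("me@example.test", ["bob@example.test", "carol@example.test"], "2014-09-05T10:00:00"),
    ("bob@example.test", ["me@example.test", "carol@example.test"], "2014-09-05T10:30:00"),
    ("me@example.test", ["bob@example.test", "carol@example.test"], "2014-09-06T10:00:00"),
    ("dave@example.test", ["me@example.test"], "2014-09-07T14:00:00"),
]


def parse_records(raw):
    """Normalise raw tuples into dicts with a datetime; lower-case addresses."""
    out = []
    for sender, recipients, stamp in raw:
        out.append({
            "from": sender.lower(),
            "to": [r.lower() for r in recipients],
            "at": datetime.fromisoformat(stamp),
        })
    return out


def correspondents(records, owner):
    """How often the owner exchanges mail with each address (sent + received).
    Volume alone ranks who matters to the owner; no content is read."""
    counts = Counter()
    for rec in records:
        if rec["from"] == owner:
            counts.update(r for r in rec["to"] if r != owner)
        elif owner in rec["to"]:
            counts[rec["from"]] += 1
    return counts


def late_night_share(records, owner, start_hour=22, end_hour=5):
    """Fraction of the owner's outgoing mail sent between start_hour and
    end_hour (wrapping past midnight). Timing reveals habits by itself."""
    sent = [rec for rec in records if rec["from"] == owner]
    if not sent:
        return 0.0
    late = [rec for rec in sent
            if rec["at"].hour >= start_hour or rec["at"].hour < end_hour]
    return len(late) / len(sent)


def late_night_contacts(records, owner, start_hour=22, end_hour=5):
    """Who receives the owner's late-night mail: combining timing with the
    counterparty is what makes metadata 'intimate'."""
    counts = Counter()
    for rec in records:
        if rec["from"] != owner:
            continue
        hour = rec["at"].hour
        if hour >= start_hour or hour < end_hour:
            counts.update(r for r in rec["to"] if r != owner)
    return counts


def recipient_groups(records, owner):
    """Sets of people the owner repeatedly addresses together: recurring
    co-recipients expose group memberships (a team, a family, a committee)."""
    groups = Counter()
    for rec in records:
        others = frozenset(r for r in rec["to"] if r != owner)
        if rec["from"] == owner and len(others) > 1:
            groups[others] += 1
    return groups


def domain_profile(records, owner):
    """Correspondents counted by domain: a health-provider domain in the list
    says something about the owner even though no message was opened."""
    return Counter(addr.split("@", 1)[1] for addr in correspondents(records, owner))


if __name__ == "__main__":
    recs = parse_records(SAMPLE_METADATA)
    print("top contacts:", correspondents(recs, OWNER).most_common(3))
    print("late-night share: %.2f" % late_night_share(recs, OWNER))
    print("late-night contacts:", late_night_contacts(recs, OWNER))
    print("recurring groups:", recipient_groups(recs, OWNER))
    print("domains:", domain_profile(recs, OWNER))
```

Run it as a script to see the five summaries. The point for students is that every function works on envelope fields only, which is exactly why a mailbox owner's "nothing to hide" does not hold for metadata: the clinic correspondence, the midnight exchanges with one person, and the standing bob/carol group all surface without a warrant for content.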


I don't think these are related, other than by an “everyone is doing it” meme. What can Mom & Dad do to prevent it?
Jim Holt reports:
Two Saugus High School students were arrested for posting “inappropriate photos” on social media, a spokeswoman for the William S. Hart Union School District said Thursday.
The ages and identities of the suspects arrested Wednesday were not disclosed, said district spokeswoman Gail Pinsker, citing student privacy laws.
[...]
Sheriff’s Special Victims Bureau detectives have investigated reports about Santa Clarita Valley teens posting nude photographs of each other on social media since July.
In mid-July, Hudson said some Santa Clarita Valley teens were identified in nude photographs posted on a Twitter account. The investigation centered around a Twitter account called SCV Purge.
Read more on SIGNALscv.com
[From the article:
“Anytime we have pictures of children that are nude, it’s child porn,” Hudson said. [Really? Bob]

(Related)
Evan Lambert reports:
Two teens were cited for sexting after police said they shared a nude photo of a girl while in class at West Port High School in Marion County.
The boys, 14 and 15, were cited under Florida’s sexting statute, which makes a first-time offense a civil infraction and not a crime for minors.
Read more on ClickOrlando.
The girl whose picture was involved reportedly told police that it had been edited via Photoshop. So what are the police doing about the fact that a minor’s nude photo was on Instagram, edited? Is this harassment or “revenge porn?” Is this child porn?
And is 8 hours of community service really a deterrent compared to teenage curiosity and hormones?
I’m glad that children’s lives won’t be ruined by criminal charges on their records for somewhat normal teen curiosity/behavior, but is this approach likely to be effective? I tend to doubt it.
[From the article:
The boys, 14 and 15, were cited under Florida's sexting statute, which makes a first-time offense a civil infraction and not a crime for minors.
The first teen was cited for possessing and distributing the nude photo, while the second was cited for distributing it. Police said since the photo was sent to his mother's phone he wasn't charged with possession.


I can't wait for the government to take over health care records and make it absolutely impossible for this to happen. (Yes, that was sarcasm.) I should have my Computer Security students read this.
If you read only one thing today, read this.
Shannon Pettypiece and Jordan Robertson report:
Dan Abate doesn’t have diabetes nor is he aware of any obvious link to the disease. Try telling that to data miners.
The 42-year-old information technology worker’s name recently showed up in a database of millions of people with “diabetes interest” sold by Acxiom Corp. (ACXM), one of the world’s biggest data brokers. One buyer, data reseller Exact Data, posted Abate’s name and address online, along with 100 others, under the header Sample Diabetes Mailing List. It’s just one of hundreds of medical databases up for sale to marketers.
Read more on Bloomberg.


Should be interesting. My first reaction was that the answer would be along the lines of: “Hey, I'm not in buying mode.” That may be a bit simplistic. I hope they release the results.
Facebook wants your feedback about ads it delivers. So that it can deliver more ads
Facebook wants users to weigh in on the ads shown on their news feeds, which is why the social network has rolled out a new tool that lets users provide specific feedback on why they hide ads.
The tool builds upon an earlier feature that allows Facebook users to hide specific ads on their news feeds. But with more than 1.5 million advertisers on Facebook's advertising network, it is important for the social network to come up with more ways to let them deliver more relevant ads to users. Thus, it came up with a new feedback-generating tool that prompts users to choose from a list of reasons why they opted to hide a certain ad.

(Related) Interesting question? Could be viewed as a “psych profile.” Would that make it a medical record?
Éloïse Gratton writes:
The Economist published a great piece on behavioral advertising today: “Getting to know you: Everything people do online is avidly followed by advertisers and third-party trackers”. The article discusses the fact that gathering information about users and grouping them into sellable “segments” has become important for the $120 billion online advertising economy.
The article raises an interesting point: industry players often take the position that since they do not know the users’ names, what they are collecting is not in fact “personal information”. They identify users by numbers, and build up detailed profiles about them. In Canada, the Office of the Privacy Commissioner has closed the door on the issue in its 2012 Policy Position on Online Behavioural Advertising and usually considers profiles created for behavioral marketing as “personal information”:
Read more on Éloïse Gratton.


1500 pages doesn't sound like much in a world of billions of searches per day...
Yahoo Faced Big U.S. Fines Over User Data
A secret legal battle between the U.S. government and Yahoo Inc. over requests for customer data became so acrimonious in 2008 that the government wanted to charge the Internet company $250,000 a day if it didn't comply.
Yahoo made the threat public Thursday after a special federal court unsealed 1,500 pages of legal documents from a once-classified court battle over the scope of National Security Agency surveillance programs. The documents shed new light on tensions between American technology companies and the intelligence community long before former NSA contractor Edward Snowden began leaking in 2013.
… Court documents don't reveal exactly what the government wanted from Yahoo. In one brief, Yahoo states the main issue of the case is whether the Constitution protects the communications of U.S. citizens or legal residents believed to be outside the U.S.


I always ask, “What strategy would you adopt for intelligence?” If the response is a variation of, “Gentlemen do not read another gentleman's mail,” I label them idiots and stop listening.
Glyn Moody writes:
Although the scale of the surveillance being carried out by the NSA and GCHQ is daunting, digital rights groups are starting to fight back using the various legal options available to them. That’s particularly the case for the UK, where activists are trying to penetrate the obsessive secrecy that surrounds GCHQ’s spying activities. Back in December, we wrote about three groups bringing an action against GCHQ in the European Court of Human Rights (ECHR), and how Amnesty International is using the UK’s Investigatory Powers Tribunal (IPT) to challenge the spying.
Another organization that filed a complaint against the UK government at the IPT is Privacy International. But not content with that, it has now taken further legal action, this time in order to obtain information about GCHQ’s role in the “Five Eyes” system, the global surveillance club made up of the US, UK, Canada, Australia and New Zealand:
Read more on TechDirt.


For my students. New features create a need for new Apps.
The Next Great Gold Rush: Apps and Accessories for the Apple Watch
Every time Apple modifies a connector, changes a form factor, or launches a new gadget, it impacts countless companies. There’s a robust third-party market for anything and everything that attaches to or wraps around the iPhone, one that’s constantly adapting to the evolving shapes, sizes, and specs of new handsets.
Now that the Apple Watch is official, we’re going to see an entirely new frontier of accessories and apps.
It’s fitting that even as Apple announced the Watch, it killed the iPod Classic. The iPod was the device that created the initial wave of third-party iAccessories, from alarm clocks to speaker docks and, of course, protective cases.
… Sure, it has Siri and heart rate and motion sensors. And a really cool UI. But it doesn’t have a camera, it doesn’t have a headphone jack and there aren’t any connectivity options. In fact, beyond its magnetic induction-charging surface, it doesn’t appear to have any physical I/O ports at all.
… But the main appeal of the Apple Watch likely will come through its built-in accelerometer and bite-sized third-party apps. Though the watch will have its own suite of fitness apps, Apple will share workout data with other apps. The accelerometer will be used to do more than track fitness, too: Apple hinted you’ll be able to control the Apple TV with it. Down the line, that kind of wrist-mounted motion sensor might be used for everything from Leap Motion-like iPad or Mac navigation to a means of moving through Oculus Rift games.

(Related) How popular is the new iPhone?
Hit for 6: iPhone 6 pre-order demand crashes networks
… At the time of writing, Vodafone's is the only network with a working pre-order page. O2's online shop is down under the demand for the new phone, while EE's entire website is offline. EE has yet to confirm whether that's a result of increased traffic from customers interested in buying the iPhone from the network with the widest 4G coverage.
Meanwhile Three will open pre-orders this afternoon. Virgin Mobile is also selling the new phones, but pre-orders aren't open yet and no expected time has been given.

(Related) If you can only make “millions,” lots of companies won't be interested.
Jasper Hamill reports:
Tech firms are set to experience a biometric bonanza – as long as they can persuade ordinary folk to give up worrying about their privacy.
That’s the claim in a briefing note from “growth consulting firm” Frost & Sullivan, which suggested the number of smartphones equipped with biometric gubbins will soar from 43 million to 471 million by 2017.
This, according to the beancounters, means the biometric revenue from smart phones will increase from $53.6m in 2013 to $396.2m in 2019, amounting to an annual growth rate of 39.6 per cent.
Read more on The Register.


Another great talk for my Statistics class.
Hans and Ola Rosling: How not to be ignorant about the world


If the iPad can do this, imagine what the iPhone6 can do! (Yes, I am easily amused.)
iPad Magician Blows Kids’ Minds With LEGO


Also amusing, but much geekier.
Bach’s Music on a Moebius Strip

Thursday, September 11, 2014

No more security breaches? Not likely, but this is one path to the future.
How Apple Pushes Entire Industries Forward
Yesterday, hardware stole the show at the Apple unveiling. But Apple’s most impressive achievement on display at yesterday’s announcement was not a technological feat — although the technology on display was certainly impressive.
Apple’s great feat was the use of their scale to swiftly get the world lined up behind a new model for payments. Apple Pay will be more secure, it will be easier, and it will probably be more profitable for the payments industry as a whole by shifting people away from cash (at least for the time being). But putting it into practice required an entire ecosystem to move in unison — merchants, consumers, credit card companies, and banks. Something that only a company with the massive reach of Apple could do.
… What Apple demonstrated yesterday was its power as an “impatient convener.”
The term was coined by the first CTO of the US Government, Aneesh Chopra. Chopra, and his successor Todd Park, have thoughtfully used the unique position of the White House to bring together disparate leaders to drive innovation through mutually beneficial agreements. Their thesis, which Chopra describes elegantly in his book Innovative State, is that the White House has the pull to sit people down at the table. When the President calls, you answer. When the President says you need to come to Washington to discuss something like rolling out smart-grid technologies nationally, you come. And if you are there and the proposal makes sense, you may actually opt in as well – even if there are no demands or formal requests from on high.


Why Johnny can't manage. As an auditor and a manager, some things leap out in articles like this one.
'Legal pension spiking' will cost California $800 million, audit says
… The audit of the California Public Employees' Retirement System, covering July 2010 through June 2012, found that dozens of government agencies were authorized to engage in what it termed "legal pension spiking," a method of boosting a worker's pay for the final year on the job to fatten future pension checks.
… Auditors found no evidence of illegal spiking but the report said the nation's largest pension system does little to detect it.
For example, the report said a local government that contracts with the pension system, known as CalPERS, would face an audit once every 66 years under current schedules, meaning there would be little opportunity to expose any problems.


There ought to be a law?
Marc Jaycox writes:
EFF, along with more than 70 civil liberties organizations, public interest groups, and companies sent two letters to the House and Senate leadership today. One supported HR 1852, the bipartisan Email Privacy Act, and the other supported Senate companion bill S. 607, the Electronic Communications Privacy Act Amendments Act of 2013 (.pdf). The bills aim to update the Electronic Communications Privacy Act (ECPA), an archaic law that’s been used by the government to obtain emails without getting a probable cause warrant. The bills are sponsored by a wide range of lawmakers like Senators Patrick Leahy and Mike Lee, and Representatives Kevin Yoder, Tom Graves, and Jared Polis.
Read more on EFF.


As a non-lawyer, I don't see why the judge would allow this legal strategy. Defending an “intimidation by surveillance” lawsuit by significantly increasing the surveillance? “We don't need no stinking justification?”
Shirin Sinnar writes:
The discovery stage of national security litigation rarely attracts much interest, at least where it does not involve an invocation of “state secrets” by the federal government. But in the case of Raza v. City of New York, it should. The ACLU lawsuit, filed a year ago in the Eastern District of New York, challenges the NYPD’s pervasive mapping, surveillance, and investigation of Muslim communities, which the plaintiffs argue have significantly harmed their ability to practice their faith and express their views. For over six months now, the NYPD has pursued discovery tactics that seem expressly designed to deter plaintiffs – indeed, anyone who objects to surveillance of political or religious activities – from maintaining suit. If settlement talks apparently underway do not pan out, the court’s resolution of these issues could significantly affect the practical availability of judicial review.
Read more on Just Security.
[From the article:
In response, the NYPD served plaintiffs with sweeping discovery requests into their associations and speech (see here and here for the relevant briefs). Through either interrogatories or document requests, the NYPD seeks the names of all members, donors, or attendees of a charity’s events; the name of every congregant intimidated by NYPD surveillance at a mosque; and all of plaintiffs’ communications concerning “terrorism,” “jihad,” “the war in Afghanistan,” or “current events.” Forcing plaintiffs to identify individuals fearful of government surveillance or disclose years of core religious and political speech would plainly subject them, and their members, to the very chilling effects that the lawsuit seeks to alleviate. The discovery requests here call to mind employers’ attempts to discover the immigration status of workers challenging unfair employment practices, which courts have rejected as crippling immigrants’ ability to bring civil rights claims.


For students in the Gaming Club.
Buying the next generation of coders: Microsoft’s Minecraft gamble
When the news broke last night that Microsoft was in negotiations to buy Minecraft creators Mojang for $2 billion, people quickly started asking "why would Microsoft buy another gaming company?"
… The software industry agrees that we don't know where the next generation of programmers is coming from. School courses focus more on using apps and building web pages than on the fundamentals of writing code, and where they do, they skirt the deep understanding good programmers need.
Microsoft has often been accused of losing an entire generation of developers to the web and to open source (though it's been quick to adopt those technologies in its development tools and platforms, either directly or through its Visual Studio integration program). Its response to criticism has been interesting, with the release of free versions of Visual Studio and an intriguing focus on the gamification of programming.


Free is good! Knowing a bit about the history of an industry makes the contrast with today's world all the more interesting. A few years ago, Baen Publishing made one of their older books available for free download from their website. Sales of the printed books went up. Since then they have made dozens of books available and even include CDs with the collected works of the author in some of their books. They seem to be prospering.
Publishers Gave Away over 120 Million Books During World War II
by Sabrina I. Pacifici on Sep 10, 2014
And, in the process, they created a nation of readers, Yoni Applebaum, The Atlantic: “In 1943, in the middle of the Second World War, America’s book publishers took an audacious gamble. They decided to sell the armed forces cheap paperbacks, shipped to units scattered around the globe. Instead of printing only the books soldiers and sailors actually wanted to read, though, publishers decided to send them the best they had to offer. Over the next four years, publishers gave away 122,951,031 copies of their most valuable titles. “Some of the publishers think that their business is going to be ruined,” the prominent broadcaster H. V. Kaltenborn told his audience in 1944. “But I make this prediction. America’s publishers have cooperated in an experiment that will for the first time make us a nation of book readers.” He was absolutely right. From small Pacific islands to sprawling European depots, soldiers discovered the addictive delights of good books. By giving away the best it had to offer, the publishing industry created a vastly larger market for its wares. More importantly, it also democratized the pleasures of reading, making literature, poetry, and history available to all. Serious books were hard to find before the war. An industry study in 1931 highlighted the book trade’s limited audience. Nineteen out of every 20 books sold by the major publishing houses cost more than two dollars, a luxury even before the Depression. Those who could afford them often struggled to find them. Two out of three counties in America lacked any bookstore, or even so much as a department store, drugstore, or other retailer selling enough books to have an account with a publishing house. In rural areas, small towns, and even mid-sized cities, dedicated customers bought their books the way they bought other household goods, picking the titles out of mail-order catalogs. Most did not bother. There was another, less-reputable class of books, though, that enjoyed broader distribution.
Cheap mysteries, westerns, and comics could be snapped up at newsstands in paperbound editions that cost far less to produce than hardcover books. Throughout the 1920s and ’30s, publishers tried to take advantage of this format to publish a wider range of books. Most efforts failed. Then, in 1939, two new entrants changed the equation. Pocket Books and Penguin Books each offered a mix of new titles and reprints of hardcover books, including some of a literary bent. More importantly, they sold these paperback books on magazine racks. Americans could put down a quarter and pick up a book all over town, from train stations and drugstores. Within a year, Americans bought 6 million paperback books. By 1943, Pocket Books alone printed 38 million copies.”

(Related) So, how did this happen?
Millennials Are Out-Reading Older Generations
… Millennials, like each generation that was young before them, tend to attract all kinds of ire from their elders for being superficial, self-obsessed, anti-intellectuals. But a study out today from the Pew Research Center offers some vindication for the younger set. Millennials are reading more books than the over-30 crowd, Pew found in a survey of more than 6,000 Americans.
… Overall, Americans are buying more books than they borrow, the study found. Among those who read at least one book in the past year, more than half said they tend to purchase books rather than borrow them. Fewer Americans are visiting libraries than in recent years, but more Americans are using library websites.


Interesting. Probably better for images than long quotes.
Save SlideShare Presentations as Animated GIFs
A new web app called GIFDeck helps you convert any presentation hosted on SlideShare into an animated GIF file. All you have to do is specify the deck URL and the app will fetch the individual slides as images and stitch them all together in a single GIF that will auto-play and auto-loop.

Wednesday, September 10, 2014

We know how to detect breaches like this. We just don't bother to look.
Nicole Perlroth reports:
Home Depot confirmed on Monday that hackers had broken into its in-store payments systems, in what could be the largest known breach of a retail company’s computer network.
The retailer said the exact number of customers affected was still not clear. But a person briefed on the investigation said the total number of credit card numbers stolen at Home Depot could top 60 million. By comparison, the breach last year at Target, the largest known attack to date, affected 40 million cardholders.
Read more on NY Times.
[From the article:
The breach may have affected any customer at Home Depot stores in the United States and Canada from April to early last week, said Paula Drake, a company spokeswoman. Customers at Home Depot’s Mexico stores were not affected, nor were online shoppers at HomeDepot.com. Personal identification numbers for debit cards were not taken, she said.
Home Depot has not yet confirmed other details.
The retailer operates 1,977 stores in the United States and 180 in Canada. That is about 400 more than Target had when it was compromised. Target’s breach went on for three weeks before the company learned about it, while the attack at Home Depot went unnoticed for as long as five months.
… Buried in the malware used in the Home Depot attack were links to websites that reference the United States’ role in the conflict in Ukraine.
… Studies have found that retailers, in particular, are unprepared for such attacks. A joint study by the Ponemon Institute, an independent security research firm, and DB Networks, a database security firm, found that a majority of computer security experts in the United States believed that their organizations lacked the technology and tools to quickly detect database attacks.
Only one-third of those experts said they did the kind of continuous monitoring needed to identify irregular activity in their databases, and 22 percent acknowledged that they did not scan at all.

(Related)
Reuters reports:
At least five states have launched a joint probe into the data breach on the payment-card processing systems of Home Depot, even as the retailer works to determine the impact on its customers in the United States and Canada.
The coordinated effort was disclosed on Tuesday, a day after Home Depot confirmed suspicions that its payment processing systems have been breached.
A spokeswoman for Connecticut Attorney General George Jepsen told Reuters that California, Connecticut and Illinois would lead the multistate effort. New York and Iowa said they would participate.
Read more on CNBC.


Don't use a password on more than one site.
RT reports:
A database of what appears to be some 5 million login and password pairs for Google accounts has been leaked to a Russian cyber security internet forum. It follows similar leaks of account data for popular Russian web services.
The text file containing the alleged compromised accounts data was published late on Tuesday on the Bitcoin Security board. It lists 4.93 million entries, although the forum administration has since purged passwords from it, leaving only the logins.
[...]
The leak comes just days after similar leaks affected Mail.ru and Yandex, both popular Russian internet services. The previous leaks contained 4.66 and 1.26 million accounts respectively.
Read more on RT.
Note that this is not evidence that Google, Mail.ru, or Yandex were hacked, and the two Russian firms deny they were, while Google says it is investigating. As Mohab Ali points out on Twitter this morning: “According to reddit comments, people who found their email addresses found the passwords they used in other websites not gmail.”
@BrianHonan According to reddit comments, people who found their email addresses found the passwords they used in other websites not gmail.
Mohab Ali (@0xAli) September 10, 2014
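The practical check that follows from this story, as an added example (my code, not from the RT article or any of the named services): when a third-party dump of email:password pairs surfaces, verify each leaked pair against your own salted password hashes so that only users who reused that password get a forced reset, and never store or log the plaintext. The accounts, passwords and dump lines below are constructed, and PBKDF2 stands in for whatever password hash your user store actually uses.

```python
"""Check a third-party credential dump against an organisation's own user store.

The lesson from the dump above is that the leaked passwords came from other
sites where people had reused them. A defender holding such a dump can find
which of *their* accounts are exposed by verifying each leaked password against
the stored (salted, iterated) hash, and force a reset only for those.
All emails, passwords and dump lines here are constructed for the demo.
"""
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 work factor; a stand-in for your real hash scheme


def hash_password(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Salted, iterated PBKDF2-HMAC-SHA256 digest of a password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def normalize_email(addr: str) -> str:
    """Dumps mix letter case and whitespace; compare on a canonical form."""
    return addr.strip().lower()


def make_user_store(plain_accounts):
    """Build the hashed store. Plaintext exists here only to construct the demo;
    a real store never sees or keeps it."""
    store = {}
    for email, password in plain_accounts:
        salt = os.urandom(16)
        store[normalize_email(email)] = {
            "salt": salt,
            "iters": ITERATIONS,
            "hash": hash_password(password, salt),
        }
    return store


def parse_dump(text: str):
    """Yield (email, password) from 'email:password' lines.
    Split on the first ':' only, because passwords themselves may contain ':'."""
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        email, password = line.split(":", 1)
        yield normalize_email(email), password


def find_reused_credentials(store, dump_text):
    """Return the (normalized) emails of users whose leaked password verifies
    against the password they currently use here. These are the accounts that
    need a forced reset; everyone else is unaffected by this dump."""
    hits = set()
    for email, password in parse_dump(dump_text):
        rec = store.get(email)
        if rec is None:
            continue  # not one of our users
        candidate = hash_password(password, rec["salt"], rec["iters"])
        # constant-time comparison, as with any secret-derived value
        if hmac.compare_digest(candidate, rec["hash"]):
            hits.add(email)
    return sorted(hits)


# Constructed demo data: alice and carol reused their passwords elsewhere,
# bob uses a unique password here, mallory is not our user at all.
DEMO_STORE = make_user_store([
    ("alice@example.com", "hunter2"),
    ("bob@example.com", "bob-unique-password-2014"),
    ("carol@example.com", "letmein"),
])

DEMO_DUMP = """\
ALICE@example.com:hunter2
bob@example.com:correct:horse:battery
carol@example.com:letmein
mallory@example.org:whatever
"""

if __name__ == "__main__":
    for email in find_reused_credentials(DEMO_STORE, DEMO_DUMP):
        print(f"force password reset: {email}")
```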


We have a similar problem. You can lead a student to technology, but you can't make them think.
Convincing Employees to Use New Technology
All of our companies are digital now – or quickly becoming that way. Almost any enterprise you can think of, no matter the industry or sector, is trying (or being pressured by competitors) to use new technology to harness the vast new oceans of data being generated by smartphones, sensors, digital cameras, GPS devices, and myriad other sources of information originating from customers and markets.

Tuesday, September 09, 2014

When? My Ethical Hackers are already planning how to hijack the best parking spots. (I told them they should apply for a Grant!)
When Cars Are as Hackable as Cell Phones
Imagine this future scenario: Self-driving cars form an orderly procession down a highway, traveling at precisely the right following distance and speed. All the on-board computers cooperate and all the vehicles reach their destinations safely.
But what if one person jailbreaks her car, and tells her AI driver to go just a little faster than the other cars? As the aggressive car moves up on the other vehicles, their safety mechanisms kick in and they change lanes to get out of the way. It might make the overall efficiency of the transportation lower, but this one person would get ahead.
This is but one of many scenarios that Ryan Gerdes of Utah State University is exploring with a $1.2 million grant from the National Science Foundation to look at the security of the autonomous vehicle future.
… What he's fascinated by is the way that bad actors could use the self-driving cars' algorithms against themselves. The algorithms that guide these cars—at least now—are fairly "deterministic" as he put it. A given set of inputs will yield the same outputs over and over. That makes them prone to manipulation by someone with knowledge of how they work. He can spin out scenario after scenario:
"What happens when you have two advanced cruise control vehicles and the one in front starts accelerating and braking such that the one behind it starts doing the same thing in a more amplified fashion?"
"We’re looking at the collision avoidance systems. They rely on radar. We think we can manipulate radar sensors to some extent. Is it simple for an attacker to create an obstacle out of thin air?"
"Auto manufacturers always maintain the proper spacing in adaptive cruise control. You might get interesting effects if [someone] crafted certain inputs or misbehaved in a certain way so they create a very large traffic jam."
"If I’m a shipping company and I want to slow down the competition... I can take advantage of their sensors and keep making their cars brake and accelerate. We’ve already demonstrated in theory that it’s possible."
… A 2010 paper found all kinds of security flaws in a modern automobile, including headslappingly simple stuff like allowing the car's control system to be accessed through the radio controller. Install a hackable aftermarket radio and some malicious entity could take control of one's brakes.
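To make the first of Gerdes's scenarios concrete, here is an added toy model (my code, not from the article or from his research) of a chain of adaptive-cruise-control followers behind a lead car whose speed oscillates. It shows why a constant-gap follower amplifies the disturbance from car to car while a constant time-headway follower damps it, which is the design property (string stability) a safe controller needs. The controller form, gains, speeds and the sinusoidal disturbance are my assumptions.

```python
"""Toy platoon model for the 'amplified follower' scenario.

Each follower sees only the gap and closing speed to the car ahead (what a
radar would give it) and applies a linear controller:

    a = k_p * (gap - d0 - h * v_self) + k_v * (v_ahead - v_self)

h = 0 is a constant-gap policy; h > 0 is a constant time-headway policy.
Gains, speeds and the disturbance are constructed for this demo.
"""
import math


def string_gain(k_p, k_v, h, omega):
    """Analytic |H(j*omega)|: ratio of a follower's speed-oscillation amplitude
    to that of the car ahead, for the controller above, at frequency omega."""
    num = (k_v * omega) ** 2 + k_p ** 2
    den = (k_p - omega ** 2) ** 2 + ((k_p * h + k_v) * omega) ** 2
    return math.sqrt(num / den)


def is_string_stable(k_p, k_v, h):
    """True if |H(j*omega)| <= 1 for every omega, i.e. oscillations shrink from
    car to car instead of growing. Rearranged from string_gain(...) <= 1.
    With h = 0 the left side is 0, so a constant-gap policy never qualifies."""
    return k_p * h * h + 2 * k_v * h >= 2


def simulate_platoon(k_p, k_v, h, n_followers=5, v0=20.0, amp=1.0,
                     omega=0.5, d0=10.0, dt=0.05, t_end=200.0):
    """Integrate the platoon with semi-implicit Euler; return each car's
    speed-oscillation amplitude measured over the last half of the run,
    after the transient has died out. Index 0 is the lead car."""
    n = n_followers + 1
    # start at the equilibrium spacing so only the lead car's disturbance
    # excites the chain
    x = [-i * (d0 + h * v0) for i in range(n)]
    v = [v0] * n
    steps = int(t_end / dt)
    t_measure = t_end / 2
    vmin = [float("inf")] * n
    vmax = [float("-inf")] * n
    for step in range(steps):
        t = step * dt
        v[0] = v0 + amp * math.sin(omega * t)  # lead car: speed oscillates
        acc = [0.0] * n
        for i in range(1, n):
            gap = x[i - 1] - x[i]
            acc[i] = k_p * (gap - d0 - h * v[i]) + k_v * (v[i - 1] - v[i])
        for i in range(n):
            if i > 0:
                v[i] += acc[i] * dt
            x[i] += v[i] * dt
        if t >= t_measure:
            for i in range(n):
                vmin[i] = min(vmin[i], v[i])
                vmax[i] = max(vmax[i], v[i])
    return [(vmax[i] - vmin[i]) / 2 for i in range(n)]


if __name__ == "__main__":
    for label, h in (("constant gap (h=0)", 0.0), ("time headway (h=1s)", 1.0)):
        amps = simulate_platoon(1.0, 1.0, h)
        print(f"{label}: string stable={is_string_stable(1.0, 1.0, h)}, "
              f"per-car amplitude {[round(a, 2) for a in amps]}")
```

With the same gains, the only difference between the two runs is the headway term, yet the fifth follower's oscillation ends up several times larger than the lead car's in one case and well below it in the other.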


For my Computer Security students. See? It can be done!
How quickly can your organization detect and stop a breach?
It looks like the National Committee for Quality Assurance (NCQA) caught one pretty quickly, as it only affected customers making online purchases on September 3 between 2 am and 10 am.
They called those affected, and by September 5, were sending out letters to those affected, telling them that their names, addresses, credit/debit card numbers and card expiration dates were breached.
What a fast breach detection, response, and notification.
Well done, NCQA!


Compare and contrast the article above to this one...
In Wake of Confirmed Breach at Home Depot, Banks See Spike in PIN Debit Card Fraud
Nearly a week after this blog first reported signs that Home Depot was battling a major security incident, the company has acknowledged that it suffered a credit and debit card breach involving its U.S. and Canadian stores dating back to April 2014. Home Depot was quick to assure customers and banks that no debit card PIN data was compromised in the break-in. Nevertheless, multiple financial institutions contacted by this publication are reporting a steep increase over the past few days in fraudulent ATM withdrawals on customer accounts.
The card data for sale in the underground that was stolen from Home Depot shoppers allows thieves to create counterfeit copies of debit and credit cards that can be used to purchase merchandise in big box stores. But if the crooks who buy stolen debit cards also are able to change the PIN on those accounts, the fabricated debit cards can then be used to withdraw cash from ATMs.
… Here’s the critical part: The card data stolen from Home Depot customers and now for sale on the crime shop Rescator[dot]cc includes both the information needed to fabricate counterfeit cards as well as the legitimate cardholder’s full name and the city, state and ZIP of the Home Depot store from which the card was stolen (presumably by malware installed on some part of the retailer’s network, and probably on each point-of-sale device).


Their use of spyware ended in early 2012. The lawsuits may end in 2112. Maybe.
Hilary Niles reports a settlement between Vermont and Aaron’s, a firm that was charged by the FTC and sued civilly by customers over the use of remotely activated spyware that captured images of customers. As reported on this blog in numerous previous entries, the software enabled the franchises to locate lost or stolen laptops, but it also enabled them to track down customers who defaulted on their rental agreements, without the knowledge or consent of customers. In some cases, the spyware reportedly captured sensitive or personal images. Previous coverage on this blog is linked from here. Niles reports:
Three Vermont consumers will collect $2,000 in fines to make up for violations of their privacy by a computer leasing company. The state additionally will collect $45,000 in civil penalties and legal costs from SEI/Aaron’s.
Read more on VTDigger.
The Vermont Attorney General’s Office posted this press release about the case today:


No doubt this will explain everything to everyone's satisfaction.
EPIC (Finally) Obtains Memos on Warrantless Wiretapping Program
by Sabrina I. Pacifici on Sep 8, 2014
More than eight years after filing a Freedom of Information Act request for the legal justification behind the “Warrantless Wiretapping” program of President Bush, EPIC has now obtained a mostly unredacted version of two key memos (OLC54) and (OLC85) by former Justice Department official Jack Goldsmith. EPIC requested these memos just four hours after the New York Times broke the story about the program in December 2005. When the agency failed to release the documents, EPIC filed a lawsuit. The ACLU and the National Security Archive later joined the case. These two Office of Legal Counsel memos offer the fullest justification of the warrantless wiretapping program available to date, arguing that the president has inherent constitutional power to monitor Americans’ communications without a warrant in a time of war. But some parts of the legal analysis, including possibly contrary authority, are still being withheld. The warrantless wiretapping program was part of “Stellar Wind,” a broad program of email interception, phone record collection, and data collection undertaken by the NSA without the approval of Congress. For more information see EPIC: EPIC v. DOJ: Warrantless Wiretapping Program.”

(Related) Something to think about and then ignore?
International Law and Secret Surveillance: Binding Restrictions upon State Monitoring of Telephone and Internet Activity
by Sabrina I. Pacifici on Sep 8, 2014
CDT: “In the year that has followed Edward Snowden’s first disclosures concerning secret US and UK surveillance practices, many governments, human-rights groups, and UN bodies have debated—and at times disagreed sharply—about whether the Internet and telephone surveillance practices that governments employ today are consistent with international law. With a view to informing these discussions, this report briefly summarizes the current state of international law as it applies to the secret surveillance of communications. Many commentators divide international law into two categories: “hard law,” which is binding upon at least some states, and “soft law,” which includes nonbinding materials such as UN General Assembly resolutions. In order to facilitate a greater degree of understanding and consensus, this report is restricted to major international sources of “hard law.” The report describes two distinct bodies of law: customary international law (specifically, the principle of territorial and political integrity) and international human-rights law. As explained below, these two bodies of law exist independently of one another, meaning that a surveillance practice that does not violate human-rights law may still violate customary international law, and vice versa. The report does not address the special legal regimes that apply during situations of armed conflict. Where international human-rights law is concerned, the report focuses on the right to privacy, freedom of expression, and the right to a remedy, and provides a summary of the applicable case-law of the European Court of Human Rights and Inter-American Court of Human Rights. In this respect, the report is intended to serve as a basic reference work for scholars, practitioners, and activists. Although the applicability of the relevant laws and norms to the United States is described in some detail, the discussion below is relevant to all states’ surveillance practices.”


Have we thought this through?
Tech Firms Ask Congress to Redefine Medical Privacy Rules
Tech firms, including Amazon.com Inc., are asking Congress to redefine the rules on medical privacy, saying the potential risks of disclosure should be weighed again against the potential benefits of wider sharing and easier access to crucial health data.
Executives of tech companies and health organizations have told the House Energy and Commerce Committee in recent months that what they consider an excessively conservative stance on health data privacy is hindering development of new medical technologies and approaches to treatment, and also adding costs to already burdened state and federal budgets.
… Large companies also are looking for changes in HIPAA. Paul Misener, Amazon’s vice president for global public policy, in July told Energy and Commerce that current rules make it difficult to negotiate contracts for cloud computing services.


Clearly, someone needs guidance.
Kim Archer reports that the same state education department that upset the hell out of privacy advocates by publicly posting students’ personal details if they applied for a waiver of state tests still doesn’t grasp their obligations to rigorously protect student privacy:
Some area school officials say the Oklahoma State Department of Education has violated state and federal laws protecting student privacy by releasing information to districts about students who no longer attend their schools.
“If (the students have) left us, we really shouldn’t have access to that information,” said Larry Smith, deputy superintendent at Sapulpa Public Schools.
The data include student grades, disability status, and free and reduced-lunch status.
Read more on Tulsa World.
It would be bad enough if the department had just made a configuration error in its settings and thereby allowed all districts’ personnel to access all students’ data. But for the state to later claim that they are “erring on the side of caution” in limiting access to data that should be limited is concerning, as it suggests that they really don’t get that such privacy and data protection isn’t optional.


For my Computer Security students?
Gadget knocks drones, Google Glass offline
Bothered by gadgets like Google Glass that can, theoretically, be used to snoop on you in public? Then why not get your own gadget that can knock them all offline?
That's what the creators of Cyborg Unplug promise. Billed as a "wireless anti-surveillance system," Unplug is, essentially, a portable router that can detect drones, surveillance cameras and mobile tech like Glass trying to access your Wi-Fi signal and boot them off of it.
… That's Unplug's stated purpose, anyway. But, as its creators freely note, it also has an "All Out Mode" that would let you knock devices off of any wireless network, not just yours.
The company says it doesn't recommend doing that because ... you know ... it's probably really, really illegal.
… To be clear, Cyborg Unplug can't stop anyone from using mobile devices to record or photograph you. It only keeps that data from being streamed afterward.


...and 99 cents here in the US too.
Amazon slashes Fire Phone price to 99 cents ahead of Apple's launch event
Global e-commerce giant Amazon has cut the price of its flagship Fire Phone by US $198 to 99 cents just two months after the maiden smartphone's launch.
… Similar offers have been made available in the UK and Germany, where consumers can get the phone for zero pounds and one euro, respectively under contracts with Amazon's telecom partners.


Is this just a lawyer thing, or a tool for any busy executive?
New on LLRX – Will Lawyers Embrace Wearable Tech, And The Future?
by Sabrina I. Pacifici on Sep 8, 2014
Via LLRX.com - Will Lawyers Embrace Wearable Tech, And The Future? Nicole Black predicts that smartwatches will soon be very popular with lawyers as they offer an easy and unobtrusive way to filter only the most important information received on your smartphone. So if you’re expecting a priority email or phone call, you can program your phone to forward it to your smartwatch so that you’ll receive a subtle vibration on your wrist. This will come in handy when you’re in court, for example. So instead of causing a disruption in the proceedings, you can leave the room quietly and tend to the matter in the hallway with no one else the wiser.


Doh!
Behold, a Database That Tracks More Than 500 Episodes of The Simpsons
… To celebrate the show's quarter-century of existence, fans are being treated to projects that capitalize on this documentary breadth. There's the marathon of the show that's been airing on the cable network FXX; the social media conversation that has accompanied the marathon; the new app, Simpsons World, that will function like a DVD box set for the show, with even more extras. But there's another Simpsons project Fox isn't responsible for: a searchable database. One that has taken every episode of The Simpsons and made it, in its way, interactive. As Homer might put it: "Mmmmmm, searchability."


I have a smart student who wants to add mapping features to her business website.
How You Could Make Your Own Google Maps Using A Drone
Imagine sending a drone to take pictures above your neighborhood, then compiling those photos into an extremely high-resolution, local map. A new piece of software, combined with improved drone technology, means this kind of arrangement is already cheaper than you may think.
Maps Made Easy recently completed their Kickstarter campaign, meaning their software for combining a massive number of aerial photos into a coherent whole will soon be a reality.
… Maps Made Easy, according to Thomas, is a piece of software that stitches images together. It’s not concerned with precise GPS location, making the process relatively simple.


Might be a fun writing project...
Kindle Kids’ Book Creator is a free tool for authors and publishers to turn their illustrated children’s books into great-looking Kindle books. Kindle Kids’ Book Creator makes it easy for authors and publishers to import artwork, add text to pages, and preview how their book will look on Kindle devices.


A simple illustration of why I say, “Free is good!”
Kindle vs. iBooks: Which Is The Best eReader For Your iPad or iPhone?
Apple’s iBooks and Amazon’s Kindle (both free) are two of the best apps for reading a book on your iPhone or iPad, and each has its own strengths and weaknesses – so which is right for your reading habits?
… Both Kindle and iBooks are free downloads and if you haven’t yet used them, I encourage you download them both to see which works best for your reading and studying needs.


Please don't shoot the messenger.
A Man’s College Degree Does Have Value: to His Wife
Although a man’s educational level has no impact on his own happiness, a woman married to a man with at least a college degree is about 5% more likely to be very happy with her marriage, according to an analysis of the General Social Survey, funded by the U.S. National Science Foundation. “There seems to be an inherent quality of a man having a college degree that makes a woman happier in marriage,” write economists Bruce T. Elmslie of the University of New Hampshire and Edinaldo Tebaldi of Bryant University. Men, by contrast, seem to have little interest in the educational level of their wives.


An infographic for my students who actually use electronic mail.
How To Write Better Emails


I could have guessed some of these – a couple I've never heard of.
The 100 Books Facebook Users Love
… I’m usually a skeptic of such meme-y Facebook statuses, but people gathering around books that meant something to them melted even my cold heart. So I asked the Facebook Data Science team if this status had gotten “big” enough to attract their attention, and what they had seen in it.
They replied with something I wasn’t expecting: a list of the 20 books most cited by Facebook users who participated in the game.
In a new blog post, they’ve released that list (it’s also below) and some of their methodology.
… Without further ado, here is that list, along with the percentage of statuses that each title appeared in:
  1. The Harry Potter series, J.K. Rowling (appeared in 21.08 percent of all statuses)
  2. To Kill a Mockingbird, Harper Lee (14.48 percent)
  3. The Lord of the Rings series, J.R.R. Tolkien (13.86 percent)
  4. The Hobbit, J.R.R. Tolkien (7.48 percent)
  5. Pride and Prejudice, Jane Austen (7.28 percent)
  6. The Holy Bible (7.21 percent)
  7. The Hitchhiker's Guide to the Galaxy, Douglas Adams (5.97 percent)
  8. The Hunger Games Trilogy, Suzanne Collins (5.82 percent)
  9. Catcher in the Rye, J.D. Salinger (5.70 percent)
  10. The Great Gatsby, F. Scott Fitzgerald (5.61 percent)
  11. 1984, George Orwell (5.37 percent)
  12. Little Women, Louisa May Alcott (5.26 percent)
  13. Jane Eyre, Charlotte Bronte (5.23 percent)
  14. The Stand, Stephen King (5.11 percent)
  15. Gone with the Wind, Margaret Mitchell (4.95 percent)
  16. A Wrinkle in Time, Madeleine L'Engle (4.38 percent)
  17. The Handmaid’s Tale, Margaret Atwood (4.27 percent)
  18. The Lion, the Witch, and the Wardrobe, C.S. Lewis (4.05 percent)
  19. The Alchemist, Paulo Coelho (4.01 percent)
  20. Anne of Green Gables, L.M. Montgomery (3.95 percent)